
Commit 7c57bd1

committed
Add versioning for backup and restore of encryption keys
* only backup encryption keying material in versions 3.7+ * only backup current encryption key in versions 3.8+ * adds tests
1 parent 5d49ec2 commit 7c57bd1


4 files changed

+133
-12
lines changed

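--- a/share/github-backup-utils/ghe-backup-settings
+++ b/share/github-backup-utils/ghe-backup-settings
@@ -78,8 +78,16 @@ backup-secret "management console password" "manage-password" "secrets.manage"
 backup-secret "password pepper" "password-pepper" "secrets.github.user-password-secrets"
 backup-secret "kredz.credz HMAC key" "kredz-credz-hmac" "secrets.kredz.credz-hmac-secret"
 backup-secret "kredz.varz HMAC key" "kredz-varz-hmac" "secrets.kredz.varz-hmac-secret"
-backup-secret "encrypted column encryption keying material" "encrypted-column-encryption-keying-material" "secrets.github.encrypted-column-keying-material"
-backup-secret "encrypted column current encryption key" "encrypted-column-current-encryption-key" "secrets.github.encrypted-column-current-encryption-key"
+
+# backup encryption keying material for GHES 3.7.0 onwards
+if [ "$(version $GHE_REMOTE_VERSION)" -ge "$(version 3.7.0)" ]; then
+backup-secret "encrypted column encryption keying material" "encrypted-column-encryption-keying-material" "secrets.github.encrypted-column-keying-material"
+fi
+
+# backup current encryption key for GHES 3.8.0 onwards
+if [ "$(version $GHE_REMOTE_VERSION)" -ge "$(version 3.8.0)" ]; then
+backup-secret "encrypted column current encryption key" "encrypted-column-current-encryption-key" "secrets.github.encrypted-column-current-encryption-key"
+fi
 
 # Backup argon secrets for multiuser from ghes version 3.8 onwards
 if [[ "$(version $GHE_REMOTE_VERSION)" -ge "$(version 3.8.0)" && "$(version $GHE_REMOTE_VERSION)" -lt "$(version 3.8.2)" ]]; then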
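Review bot: Both new version gates fail toward skipping the secret: if `$(version $GHE_REMOTE_VERSION)` expands to an empty or non-numeric string, `[ ... -ge ... ]` returns an error status, `if` treats it as false, and the column encryption keying material is left out of the snapshot with no message. Whether this script validates the remote version before reaching these lines is not visible in the hunk (ghe-restore-column-encryption-keys does call `ghe_remote_version_required` first). A snapshot taken that way would presumably hold encrypted columns without the keys to read them, so I would quote the expansion, `if [ "$(version "$GHE_REMOTE_VERSION")" -ge "$(version 3.7.0)" ]; then`, and add an `else` branch that reports the skip in verbose output. The argon block directly below uses `[[ ... ]]`; using the same form here would keep the file consistent.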

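--- a/share/github-backup-utils/ghe-restore-column-encryption-keys
+++ b/share/github-backup-utils/ghe-restore-column-encryption-keys
@@ -26,12 +26,17 @@ ghe_remote_version_required "$GHE_HOSTNAME"
 # Path to snapshot dir we're restoring from
 : ${GHE_RESTORE_SNAPSHOT_PATH:="$GHE_DATA_DIR/current"}
 
-# Restore encrypted column encryption keying material if present
-log_info "Restoring encrypted column encryption keying material"
-restore-secret "encrypted column encryption keying material" "encrypted-column-encryption-keying-material" "secrets.github.encrypted-column-keying-material"
+# Restore encrypted column encryption keying material for GHES 3.7.0 onward
+if [ "$(version $GHE_REMOTE_VERSION)" -ge "$(version 3.7.0)" ]; then
+log_info "Restoring encrypted column encryption keying material"
+restore-secret "encrypted column encryption keying material" "encrypted-column-encryption-keying-material" "secrets.github.encrypted-column-keying-material"
+fi
+
+# Restore encrypted column current encryption key for GHES 3.8.0 onwards
+if [ "$(version $GHE_REMOTE_VERSION)" -ge "$(version 3.8.0)" ]; then
+log_info "Restoring encrypted column current encryption key"
+restore-secret "encrypted column current encryption key" "encrypted-column-current-encryption-key" "secrets.github.encrypted-column-current-encryption-key"
+fi
 
-# Restore encrypted column current encryption key if present
-log_info "Restoring encrypted column current encryption key"
-restore-secret "encrypted column current encryption key" "encrypted-column-current-encryption-key" "secrets.github.encrypted-column-current-encryption-key"
 
 bm_end "$(basename $0)"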
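Review bot: The rewritten comments drop the words "if present", while the gate now tests the version of the appliance being restored to, not the release the snapshot came from. A snapshot taken from a release older than 3.7.0 and restored onto a newer appliance passes the gate with no key file in the snapshot, so the call still depends on `restore-secret` tolerating a missing file; its body is outside this hunk, so that is an assumption to confirm. I would keep that in the comment, e.g. `# Restore encrypted column encryption keying material if present (GHES 3.7.0 onwards; the gate is the target appliance version)`, and the same for the 3.8.0 block.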

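--- a/test/test-ghe-backup.sh
+++ b/test/test-ghe-backup.sh
@@ -555,7 +555,18 @@ begin_test "ghe-backup takes backup of kredz-varz settings"
 )
 end_test
 
-begin_test "ghe-backup takes backup of encrypted column encryption keying material"
+begin_test "ghe-backup does not take backup of encrypted column encryption keying material for versions below 3.7.0"
+(
+GHE_REMOTE_VERSION=2.1.10 ghe-backup -v | grep -q "encrypted column encryption keying material not set" && exit 1
+[ ! -f "$GHE_DATA_DIR/current/encrypted-column-keying-material" ]
+
+GHE_REMOTE_VERSION=3.6.1 ghe-backup -v | grep -q "encrypted column encryption keying material not set" && exit 1
+[ ! -f "$GHE_DATA_DIR/current/encrypted-column-keying-material" ]
+
+)
+end_test
+
+begin_test "ghe-backup takes backup of encrypted column encryption keying material for versions 3.7.0+"
 (
 set -e
 
@@ -567,6 +578,22 @@ begin_test "ghe-backup takes backup of encrypted column encryption keying materi
 ghe-ssh "$GHE_HOSTNAME" -- ghe-config "$secret" "foo"
 done
 
+# GHES version 3.7.0
+GHE_REMOTE_VERSION=3.7.0
+
+ghe-backup
+
+required_files=(
+"encrypted-column-encryption-keying-material"
+)
+
+for file in "${required_files[@]}"; do
+[ "$(cat "$GHE_DATA_DIR/current/$file")" = "foo" ]
+done
+
+# GHES version 3.8.0
+GHE_REMOTE_VERSION=3.8.0
+
 ghe-backup
 
 required_files=(
@@ -580,7 +607,18 @@ begin_test "ghe-backup takes backup of encrypted column encryption keying materi
 )
 end_test
 
-begin_test "ghe-backup takes backup of encrypted column current encryption key"
+begin_test "ghe-backup does not take backup of encrypted column current encryption key for versions below 3.8.0"
+(
+GHE_REMOTE_VERSION=2.1.10 ghe-backup -v | grep -q "encrypted column current encryption key not set" && exit 1
+[ ! -f "$GHE_DATA_DIR/current/encrypted-column-current-encryption-key" ]
+
+GHE_REMOTE_VERSION=3.7.0 ghe-backup -v | grep -q "encrypted column current encryption key not set" && exit 1
+[ ! -f "$GHE_DATA_DIR/current/encrypted-column-current-encryption-key" ]
+
+)
+end_test
+
+begin_test "ghe-backup takes backup of encrypted column current encryption key for versions 3.8.0+"
 (
 set -e
 
@@ -592,6 +630,22 @@ begin_test "ghe-backup takes backup of encrypted column current encryption key"
 ghe-ssh "$GHE_HOSTNAME" -- ghe-config "$secret" "foo"
 done
 
+# GHES version 3.8.0
+GHE_REMOTE_VERSION=3.8.0
+
+ghe-backup
+
+required_files=(
+"encrypted-column-current-encryption-key"
+)
+
+for file in "${required_files[@]}"; do
+[ "$(cat "$GHE_DATA_DIR/current/$file")" = "foo" ]
+done
+
+# GHES version 3.9.0
+GHE_REMOTE_VERSION=3.9.0
+
 ghe-backup
 
 required_files=(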
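Review bot: The new "does not take backup ... below 3.7.0" test checks `$GHE_DATA_DIR/current/encrypted-column-keying-material`, but the file the backup writes is `encrypted-column-encryption-keying-material` (the name used in `required_files` in the next test), so the `[ ! -f ... ]` assertion holds whether or not the secret was backed up. The subshell also has no `set -e`, so only its last command decides the result and the first `[ ! -f ... ]` is never enforced; the "below 3.8.0" test has the same missing `set -e`. I would add `set -e` as the first line of both subshells and check `[ ! -f "$GHE_DATA_DIR/current/encrypted-column-encryption-keying-material" ]`. Tests that cannot fail give no assurance that key material stays out of snapshots for older releases.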

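--- a/test/test-ghe-restore.sh
+++ b/test/test-ghe-restore.sh
@@ -281,7 +281,18 @@ begin_test "ghe-restore with no pages backup"
 )
 end_test
 
-begin_test "ghe-restore with encrypted column encryption keying material"
+begin_test "ghe-restore does not restore encrypted column encryption keying material for versions below 3.7.0"
+(
+GHE_REMOTE_VERSION=2.1.10 ghe-restore -v -f localhost | grep -q "encrypted column encryption keying material not set" && exit 1
+[ ! -f "$GHE_DATA_DIR/current/encrypted-column-keying-material"]
+
+GHE_REMOTE_VERSION=3.6.1 ghe-restore -v -f localhost | grep -q "encrypted column encryption keying material not set" && exit 1
+[ ! -f "$GHE_DATA_DIR/current/encrypted-column-keying-material" ]
+
+)
+end_test
+
+begin_test "ghe-restore with encrypted column encryption keying material for versions 3.7.0+"
 (
 set -e
 rm -rf "$GHE_REMOTE_ROOT_DIR"
@@ -295,6 +306,21 @@ begin_test "ghe-restore with encrypted column encryption keying material"
 echo "foo" > "$GHE_DATA_DIR/current/$file"
 done
 
+# GHES version 3.7.0
+GHE_REMOTE_VERSION=3.7.0
+
+ghe-restore -v -f localhost
+required_secrets=(
+"secrets.github.encrypted-column-keying-material"
+)
+
+for secret in "${required_secrets[@]}"; do
+[ "$(ghe-ssh "$GHE_HOSTNAME" -- ghe-config "$secret")" = "foo" ]
+done
+
+# GHES version 3.8.0
+GHE_REMOTE_VERSION=3.8.0
+
 ghe-restore -v -f localhost
 required_secrets=(
 "secrets.github.encrypted-column-keying-material"
@@ -306,7 +332,19 @@ begin_test "ghe-restore with encrypted column encryption keying material"
 )
 end_test
 
-begin_test "ghe-restore with encrypted column current encryption key"
+
+begin_test "ghe-restore does not encrypted column current encryption key for versions below 3.8.0"
+(
+GHE_REMOTE_VERSION=2.1.10 restore -v -f | grep -q "encrypted column current encryption key not set" && exit 1
+[ ! -f "$GHE_DATA_DIR/current/encrypted-column-current-encryption-key" ]
+
+GHE_REMOTE_VERSION=3.7.0 restore -v -f | grep -q "encrypted column current encryption key not set" && exit 1
+[ ! -f "$GHE_DATA_DIR/current/encrypted-column-current-encryption-key" ]
+
+)
+end_test
+
+begin_test "ghe-restore with encrypted column current encryption key for versions 3.8.0+"
 (
 set -e
 rm -rf "$GHE_REMOTE_ROOT_DIR"
@@ -320,6 +358,22 @@ begin_test "ghe-restore with encrypted column current encryption key"
 echo "foo" > "$GHE_DATA_DIR/current/$file"
 done
 
+# GHES version 3.8.0
+GHE_REMOTE_VERSION=3.8.0
+
+ghe-restore -v -f localhost
+required_secrets=(
+"secrets.github.encrypted-column-current-encryption-key"
+)
+
+for secret in "${required_secrets[@]}"; do
+[ "$(ghe-ssh "$GHE_HOSTNAME" -- ghe-config "$secret")" = "foo" ]
+done
+
+
+# GHES version 3.9.0
+GHE_REMOTE_VERSION=3.9.0
+
 ghe-restore -v -f localhost
 required_secrets=(
 "secrets.github.encrypted-column-current-encryption-key"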
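Review bot: The two "below 3.8.0" checks invoke `restore -v -f` rather than `ghe-restore -v -f localhost`; unless a `restore` command exists in the test environment, the pipeline feeds nothing to `grep -q`, the `&& exit 1` never fires, and the test passes without running a restore. In the "below 3.7.0" test the first assertion reads `...encrypted-column-keying-material"]` with no space before `]`, which `[` rejects as an error, and without `set -e` in the subshell that error is ignored. Both tests also look at files under `$GHE_DATA_DIR/current`, which is the snapshot rather than the restored appliance; the positive tests read the secret back with `ghe-ssh "$GHE_HOSTNAME" -- ghe-config "$secret"`, and an empty result from that call would be the matching negative check. The test title "ghe-restore does not encrypted column current encryption key" is missing the word "restore".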
